Hello,

I am asking too much, but the keyfile used with stunnel is required to be stored on disk (I am aware of the file permissions applied) and is in plain text. Is there any way we can encrypt the keyfile and then store it, and subsequently ask stunnel to obtain the decryption key somehow and then use it?

For encryption/decryption of the key, stunnel (or some other program) can provide a network-based ability (a service over a socket) to supply the key, so the key can be encrypted by the third party (who generates the config for stunnel). A stunnel config option would specify that the key is encrypted, and therefore stunnel knows why and how to decrypt it.

Of course you will ask me to implement my own custom algorithm for this, but I am checking whether anybody has thought about it or, in such a case, how they have worked on it. I was told there is also a basic level of FIPS compliance requirement that requires the key not to be stored on disk in plain text, irrespective of file permissions.

Thank you.

Madhava
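Added example, not part of Madhava's post and not stunnel's own code: the on-disk half of the question handled with standard OpenSSL tooling instead of a custom algorithm. The file stunnel is pointed at holds a PBES2-encrypted PKCS#8 key, a header check confirms no plaintext key remains (usable as a deployment gate or periodic audit), and decryption goes only to stdout with a passphrase delivered out of band. It assumes openssl(1) is installed and uses a constructed passphrase file as a stand-in for whatever secrets service the party generating the config would use; how the running stunnel obtains that passphrase (its start-up prompt for an encrypted key, or a wrapper decrypting into memory) depends on your version and deployment and is not covered here.

```shell
#!/bin/sh
# Added example, not from the original post or from stunnel itself.
# Goal: the key file that sits on disk for stunnel is a passphrase-protected
# PKCS#8 file, never a plaintext PEM. Assumes openssl(1) is installed and
# that the passphrase arrives out of band in a file readable only by the
# service account (a constructed stand-in for a real secrets service).
set -eu

# Convert a plaintext PEM key into an encrypted PKCS#8 file (PBES2 with
# AES-256-CBC), restrict its mode, then confirm no plaintext key remains.
# Returns 0 only when the output file is genuinely encrypted.
encrypt_key() { # $1 = plaintext key, $2 = output file, $3 = passphrase file
    openssl pkcs8 -topk8 -v2 aes-256-cbc \
        -in "$1" -out "$2" -passout "file:$3"
    chmod 600 "$2"
    key_is_encrypted "$2"
}

# Header check: an encrypted PKCS#8 key starts with BEGIN ENCRYPTED PRIVATE
# KEY, while "BEGIN PRIVATE KEY", "BEGIN RSA PRIVATE KEY" or "BEGIN EC
# PRIVATE KEY" mean anyone who can read the file has the private key.
key_is_encrypted() { # $1 = key file
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" &&
        ! grep -q 'BEGIN \(RSA \|EC \)\{0,1\}PRIVATE KEY' "$1"
}

# Recover the plaintext key to stdout only (nothing is written to disk); a
# start-up wrapper could feed this to a memory-backed location for stunnel.
decrypt_key() { # $1 = encrypted key, $2 = passphrase file
    openssl pkcs8 -in "$1" -passin "file:$2"
}

# Audit every .pem file under a directory; returns 1 if any is plaintext.
audit_key_dir() { # $1 = directory
    rc=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        key_is_encrypted "$f" || { echo "plaintext key: $f" >&2; rc=1; }
    done
    return "$rc"
}
```

Point audit_key_dir at the directory your stunnel config's key= entries reference to catch a plaintext key that slipped back in.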